Many people have a fear of malware.  We download antivirus software, we are careful not to respond to scam emails, and we no longer use the free file-sharing client, LimeWire.  However, often even the tech-literate don’t actually know the difference between types of malware.  We know they are harmful, but what is a Trojan actually?  Is a Worm different from a Virus?  How can there be malware that doesn’t include any files?  As Miyamoto Musashi says, “To defeat your enemy, you must first understand him”.  Let’s explore the different types of malware out there so that we understand our enemy.

 

The Types of Malware

Malware is a very broad term, but all malware is simply malicious software.  Below are some of the common types of malware that the average user could encounter.

  • Viruses
  • Worms
  • Trojans
  • Ransomware
  • Spyware
  • Adware
  • Rootkits
  • Fileless Malware

The goal of malware infecting an individual’s computer is either to steal their data or to steal their money.  There are other types of malware that target corporations. For example, a large corporation might be the target of a Distributed Denial of Service (DDoS) attack by a botnet, but the average person would not be.  We’ll focus on the kinds of malware that are an immediate threat to individual users.

 

Viruses

The classic computer virus is probably the most talked about of all malware, and other kinds of malware often get lumped in with it; however, a virus is not just any malware on a computer.  A virus is a self-replicating program that needs a “host” program in order to be activated.  The virus can do a wide range of things, from stealing data and information to damaging the computer.  All viruses will have the following traits:

  • Viruses Must Have a Host
    This means that all viruses reside in another program.  It could be a Microsoft Word document, an email, or some executable program downloaded from the internet.  A virus is not independent of another program.
  • Dormant until Activated
    Viruses, because they reside in other programs, do not activate on their own.  A user must activate the program containing the virus in order for the virus to run.  This means that if a user downloads an infected program online, but has not opened the program, the virus will not activate. 
  • Self-Replicating
    A virus creates copies of itself.  Often this means that the virus will inject its viral code into other programs on the computer, meaning other programs on the computer can now be infected.  The virus often will try to spread to other computers through the same network, such as emailing all your contacts with an infected program, as well as infecting any removable media like USBs that are attached to your device. 

Viruses can be classified by the host they infect.  They can be divided into two camps: Resident Virus and Non-Resident Virus.  A Resident Virus is the kind that is more difficult to remove. They infect part of the computer’s memory and activate if the computer is running.  The worst of these would be the Boot Sector Virus, which activates before the rest of the computer activates.  This means that as long as the computer is running, if a Boot Sector Virus has infected the computer, then the virus is also running.

Non-Resident Viruses are more common, however.  These are often File Infector Viruses, which are activated when a user runs an infected program.  A virus that is growing in popularity is the Macro Virus, which hides in a Microsoft Word or Excel document.  When a user opens the document, the virus doesn’t activate right away; instead, the user is prompted to enable Macros.  Macros are small scripts that automate repetitive tasks in Microsoft Word or Excel; they are often used for harmless purposes but can be used to carry a virus. 
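The macro-enabled document described above can be triaged without opening it, because a modern Office file is a ZIP archive and a macro project is stored inside it as a part named vbaProject.bin. The following added example (not code from the original post) builds two constructed stand-in documents in memory and reports which one carries a macro part; the file names, sample contents and note texts are all assumptions of the example.

```python
"""Triage check for macro-bearing Office documents (constructed example)."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm/.xlsx/.xlsm (a ZIP)


@dataclass
class MacroReport:
    container: str                 # "ooxml", "ole" or "unknown"
    has_vba: Optional[bool]        # None when this check cannot decide
    vba_parts: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def inspect_office_document(data: bytes, filename: str = "") -> MacroReport:
    """Report whether an Office document carries a VBA macro project.

    Modern Office files are ZIP archives; a macro project is stored as a
    part named vbaProject.bin (e.g. word/vbaProject.bin, xl/vbaProject.bin).
    Legacy OLE files need a dedicated parser (olefile/oletools), so they
    are only flagged for follow-up here.
    """
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        report = MacroReport("ooxml", bool(vba), vba)
        ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
        # Word/Excel never save macros into .docx/.xlsx/.pptx, so a macro
        # project behind one of those extensions is a mismatch worth a look.
        if vba and ext in {"docx", "xlsx", "pptx"}:
            report.notes.append("macro project inside a non-macro extension")
        return report
    if data.startswith(OLE_MAGIC):
        return MacroReport("ole", None, notes=["legacy binary format; inspect with an OLE parser"])
    return MacroReport("unknown", None, notes=["not an Office container"])


def _build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-like ZIP in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one plain document, one carrying a stand-in macro part.
CLEAN_DOC = _build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
MACRO_DOC = _build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,  # placeholder bytes, not real VBA
})

if __name__ == "__main__":
    for name, blob in (("report.docx", CLEAN_DOC), ("invoice.docx", MACRO_DOC), ("invoice.docm", MACRO_DOC)):
        print(name, inspect_office_document(blob, name))
```

A document that reports a macro part is not necessarily malicious; the check tells you which attachments deserve the "enable macros" prompt to be refused until the sender has been verified.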

The good news is that viruses are the best-known kind of malware and are often some of the easiest to remove.  Staying up to date with the latest antivirus software will usually keep a computer safe and help remove viruses that have already infected a computer.  Though free antivirus does exist, I recommend buying one of the well-known antivirus brands such as Norton or McAfee.  Because a virus needs a host program, the antivirus software can easily scan a computer for infected files, identify them, and prevent them from running.  This keeps the viruses in their dormant state until they are safely deleted.

 

Worm

The worm is very similar to a virus.  They replicate in the computer and attempt to infect other computers within the same system.  However, unlike a virus, a worm does not need a host.  This makes them a little more dangerous to deal with.  All Worms will have the following traits:

  • Network-Based Propagation
    A worm does not need a host to spread, but it still needs to infect your computer somehow.  They spread through emails, downloads from the internet, or through unsecured networks.
  • Self-Replicating
    A worm is a self-replicating program.  Once a computer is infected, it will try to infect other computers, if possible, through methods such as emailing contacts known to the user or through unsecured internet connections. 
  • Independent
    Worms do not attach themselves to other programs.  They activate on their own and can spread without the user taking any action. 

If a worm is able to infect a computer, it is often more dangerous than a virus.  It does not rely on the user to take any action to infect their computer or to activate.  Typically, to avoid detection, the worm will activate itself at random times rather than always being active.  There are a few types of worms that are categorized by how they spread. 

Email Worms and Instant Messaging Worms are similar in that they both spread through weaknesses in the security of communication tools.  The danger with these is that, once a computer is infected, there is a high likelihood of the worm attempting to spread to all the user’s contacts. 

Internet Worms and Network Worms operate through the computer’s connection to the internet, often over a simple unsecured connection.  These types of worms are most often picked up during business trips or vacations, where the user connects to an unfamiliar Wi-Fi.  Internet Worms find a user when they visit an infected website, while a Network Worm infects a user who is connected to an already infected network.  In either case, the user is using a non-secured internet connection.

The last kind of worm is the File-Sharing Worm.  These worms spread through services where users download unfamiliar or untrusted files, such as the music-sharing program LimeWire, which became famous for the spread of malware.  This kind of service is called a peer-to-peer (P2P) platform, where strangers frequently share files with other strangers. 

Worms can be stopped through two reliable methods.  One is the firewall on a computer, which blocks unsolicited network connections, so unknown programs cannot reach the computer or start without the user’s permission or knowledge.  This prevents most Network and Internet Worms.  A strong antivirus software will also help remove any worms detected on a computer.  The best way to prevent a worm is to use only trusted and secure internet connections and avoid downloading suspicious software. 

 

Trojan

A Trojan Horse, or Trojan, is a deceptive program that pretends to be a legitimate or benign program.  Just like its name implies, it hides malicious software.  All Trojans have the following traits:

  • Deceptive Appearance
    Trojans get access to a computer by pretending to be harmless.  They might pretend to be a game, an update, or even a utility program like a text-to-speech program. 
  • User Activated
    Trojans must be activated to be harmful.  Because they look like normal programs, users will install the harmful software.  Only during the activation of the program does a Trojan activate.
  • Non-Self-Replicating
    Unlike a virus or a worm, a Trojan does not replicate itself onto other computers.  Instead, they rely on users downloading them from the internet.

Trojans are particularly good at staying undetected because, unlike viruses or worms, they often disguise themselves as legitimate software. In fact, many Trojans will include the helpful software they promise in order to remain hidden longer.  For example, a Trojan that disguises itself as a game may actually have the game included, but it will also run the harmful software along with it. 

Since Trojans are installed by the user, they often gain more access to a computer than a typical virus or worm. During installation, the user is prompted to grant elevated permissions, unknowingly trusting the Trojan to make system changes. This leads to various types of Trojans, such as Backdoor Trojans, Spyware Trojans, and Remote Access Trojans (RATs). In fact, there are too many types to cover in detail, making them highly versatile and dangerous.

Trojans, like viruses and worms, can be removed with good antivirus software. However, the best defense is avoiding their download in the first place. Since Trojans rely on deception, users who are well-informed are less likely to fall victim. Safe computing practices include downloading software only from trusted sources and researching unfamiliar programs before installation. If there is uncertainty about the trustworthiness of a program, it’s best not to install it. For programs claiming to be from reputable companies like Chase Bank or Facebook, contacting their customer service can verify legitimacy.

 

Ransomware

Ransomware is a type of malware that holds a user’s computer or data for ransom.  It is often one of the most intimidating forms of malware, as it directly threatens both the user and their data. Ransomware typically will have the following traits:

  • Encryption or Lockout
    The ransomware restricts access to the user's data, either by encrypting files, locking the user out of the system, or both.
  • Ransom Demand
    As the name suggests, ransomware demands payment, often threatening to delete or permanently withhold the data unless the ransom is paid. It usually includes instructions on how to make the payment.

Ransomware that locks a user out of their system can be highly frustrating. It typically activates at bootup, preventing access to the operating system or even the login screen. This full lockout often means standard antivirus software cannot be activated to remove the ransomware. In some cases, the ransomware may be what’s called 'Scareware,' where the data remains safe, and the threat is more of an annoyance than a danger.

However, in more serious cases, the ransomware encrypts the computer's data, posing a genuine threat. Encryption scrambles the data, rendering it unusable unless a decryption key is applied. If the key is destroyed, the data becomes permanently inaccessible, potentially causing irreparable damage, loss of important memories, or making the computer completely inoperable.

The good news is that modern antivirus software can block most types of ransomware. The bad news is that if ransomware does infect a computer, it’s nearly impossible to resolve. If ransomware is detected, follow these steps:

  1. Do NOT Pay the Ransom
    Paying doesn’t guarantee the attacker will return access to the data, and it could also expose sensitive financial information, risking both the data and money.
  2. Disconnect the Computer
    Some ransomware relies on an internet connection for the attacker to issue a command to delete data or encryption keys. Even if there’s a countdown timer, disconnect the computer immediately. In some cases, removing the power source prevents the ransomware from operating. While data may be encrypted, it will still exist. The countdown is often a scare tactic, and the attacker typically benefits from scaring a user into paying, not destroying data.
  3. Contact the Authorities
    Ransomware is illegal and has a high likelihood of being traced back to its source by the authorities. They may even assist in removing the ransomware and recovering the user’s data in some cases.

Unfortunately, the only reliable protection must be set up before an infection occurs. Regularly creating backups of data ensures a safe state for the computer to be restored. If ransomware infects a system but a recent backup exists, the ransomware becomes much less effective. However, attackers may still attempt to steal information, so the steps previously mentioned should still be followed to prevent further harm.

 

Spyware

Spyware is one of the most challenging types of malware to detect. It typically doesn’t disrupt the user’s experience or alter how the system functions, operating in the background like a stealthy spy. Common traits of spyware include:

  • Data Collection
    All spyware is designed to gather information, from browsing history to sensitive data like banking credentials.
  • Data Transmission
    Once collected, the data must be transmitted to the attacker. This is often when antivirus software detects the spyware.

Although this list seems brief, spyware is incredibly versatile in how it infects a system and the types of data it seeks. Paradoxically, the most malicious spyware often tries to steal the smallest amount of information possible, as stealing large amounts increases the chance of detection. For example, some spyware only activates when a user logs into a banking website, while others only trigger during online shopping. Spyware can be classified by the type of data it targets:

  • Cookie Trackers
    This spyware type steals data from browser cookies, which store small pieces of information like user preferences and login details. Since cookies already contain data, the spyware’s task is simply to transmit that information to the attacker. Unfortunately, many users save passwords as cookies, making this a particularly dangerous form of spyware. 
  • System Monitor Spyware
    This type monitors a range of activities such as emails, chats, websites visited, and applications used. The collected data is often sold to data brokers to create targeted ads, but it can also include financial details, such as banking credentials. 
  • Blackmail Spyware
    This spyware type monitors online conversations and takes screenshots of visited websites or chats. The attacker looks for compromising information, such as inappropriate conversations or visits to adult websites, to blackmail the user. 
  • Keyloggers
    This type tracks every keystroke entered on a keyboard. Despite collecting small amounts of data, such as individual characters, keyloggers can be extremely harmful, as they gather critical information like usernames, passwords, and messages. Their simplicity makes them difficult to detect.

Spyware can be hard to combat because it often evades detection better than other forms of malware. Basic antivirus software that relies on static file scans may miss it. More advanced antivirus programs are required to monitor unusual activity, detect programs that activate during sensitive tasks, and scan for known spyware scripts. Modern antivirus software uses script-reading technology to detect known spyware code, increasing its ability to identify different types of spyware. Additionally, antivirus programs monitor outgoing data from the computer. If a program attempts to upload sensitive information, a robust antivirus software can detect and block these transfers, preventing data theft. While spyware may not directly harm data, it poses a significant risk by stealing personal information and violating privacy.

 

Adware

Adware can be some of the most frustrating and troublesome malware as it directly impedes a user’s experience.  Often adware and spyware will work together on an infected computer to display targeted ads and steal personal information.  Common traits of adware include:

  • Ads
    As the name suggests, adware intends to display ads.  These can be pop-ups, banners, in-text ads, directing a web browser to unwanted websites, and other ads that interrupt the user.
  • Data Collection
    Most adware displays targeted ads, meaning that the adware is bundled with spyware.  These will show ads more relevant to the user in an attempt to have the user buy a product or click on the ad.
  • Persistence
    Adware can be incredibly difficult to remove, often modifying security settings and activating itself at system startup.

Adware is not just the annoyance of ads popping up, but it can also steal information or allow other malware to be downloaded to your computer.  The good news is that adware is very easy to detect by most antivirus software. The most malicious adware is constantly active, with continual pop-ups. The downside is that, by changing so many settings, adware can damage your computer quickly and let in more malware before the antivirus has a chance to stop the adware. 

Adware is often more bothersome than harmful, but when it is harmful it acts quickly.  Antivirus software can remove the malware without issue in most cases.  Often, adware is downloaded by the user in a Trojan.  This means that avoiding most adware is as easy as being aware of what is less likely to be trusted software. 

 

Rootkits

Rootkits are among the most challenging types of malware to combat because their primary goal is to remain hidden and persist within a system. Even the most advanced antivirus software often struggles to detect them. Rootkits commonly exhibit the following traits:

  • Start-Up
    Rootkits are designed to activate as early as possible, often before users have a chance to disable them.
  • Persistence
    They aim to maintain long-term access to the system, often surviving reboots and, in some cases, even factory resets.
  • Privilege Escalation
    By elevating their system permissions, rootkits can disable security features and infect critical system components.
  • Concealment
    Rootkits use various techniques to manipulate what security systems and antivirus programs can detect. As a result, even when engaging in suspicious activity, they often go unnoticed.

The term “rootkit” is derived from the fact that these malicious programs embed themselves deep within the system’s core, the root. The specific location of their operations determines the type of rootkit:

  • User-Mode Rootkits
    These operate at the user level, meaning they have the same permissions as the user. While they can hide effectively, they are typically the easiest type of rootkit to remove.
  • Kernel-Mode Rootkits
    These embed themselves in the system’s kernel, the core part of the operating system that manages hardware interactions, memory, how the keyboard and mouse operate, and other critical processes. Removing a kernel-mode rootkit without damaging the system is nearly impossible.
  • Bootkits
    These infect the boot record, which allows them to load before the operating system does, ensuring the malware is active before the user has any control.
  • Virtual Rootkits
    Also called virtualized or hypervisor rootkits, these load a thin hypervisor beneath the operating system and run the original system as a guest inside it. Because the rootkit sits below the operating system, nothing running inside that system can see it.
  • Firmware Rootkits
    These infect the firmware of hardware components, such as the BIOS or network cards. Even if the operating system is reinstalled, the malware can persist if the firmware remains infected.

Rootkits can be extremely difficult to detect and remove. Most antivirus software is not equipped to handle them, and specialized tools are often necessary. Depending on the complexity of the rootkit, the operating system may need to be re-installed, the firmware updated, or a full factory reset may need to be performed. In extreme cases, wiping the disk or calling in a professional might be required to remove a rootkit.

 

Fileless Malware

Fileless malware is one of the most challenging forms of malware to detect. Unlike other types, it does not write data to the disk, instead operating entirely from the computer’s memory. Fileless malware typically has the following characteristics:

  • Fileless Operation
    Fileless malware gets its name from the fact that it does not save any files to a location on the disk, but instead remains in the memory of the computer.  Because memory is cleared on a system reboot, the malware would normally disappear with it, so it uses other methods to force the computer to bring it back.
  • Leverage Legitimate Tools
    It often exploits existing tools and programs on the computer to carry out malicious activities, making it harder for security software to detect the threat since it’s using trusted software.
  • No File Footprint
    With no executable files on the disk, traditional antivirus programs struggle to find it during system scans.
  • Persistence
    Fileless malware often creates scheduled tasks or registry entries that relaunch it when the system reboots. Unless these tasks are deleted, the malware can continue to return and operate.
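The scheduled tasks and registry entries just described are where fileless malware usually becomes visible, because the relaunch command has to carry or fetch its payload inline rather than point at a file on disk. The following added example (not code from the original post) reviews a small set of constructed autostart entries for that pattern; the entry names, command lines, indicator list and the placeholder encoded string are all assumptions of the example, and the base64 blob decodes to a plain sentence.

```python
"""Heuristic review of Windows autostart entries for fileless persistence (constructed example)."""
import base64
import re
from typing import Dict, List, Sequence, Tuple

# Script hosts and system binaries that fileless malware commonly borrows to
# relaunch an in-memory payload. On their own they are legitimate tools.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32")

# Command-line features that suggest the payload is carried inline or fetched
# at run time instead of living in a file the user could find on disk.
INLINE_PAYLOAD_PATTERNS: Dict[str, re.Pattern] = {
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "download-and-execute": re.compile(r"DownloadString|Invoke-Expression|\bIEX\b|FromBase64String", re.I),
}


def score_autostart(entry_name: str, command: str) -> dict:
    """Return the indicators found in one Run-key value or scheduled-task action.

    In a real review the entries would come from the Run/RunOnce registry
    keys (HKCU/HKLM ...\\CurrentVersion\\Run) and from the Task Scheduler.
    """
    lowered = command.lower()
    indicators: List[str] = []
    host = next((h for h in SCRIPT_HOSTS if h in lowered), None)
    if host:
        indicators.append(f"script host: {host}")
    for label, pattern in INLINE_PAYLOAD_PATTERNS.items():
        if pattern.search(command):
            indicators.append(label)
    # A script host alone is normal (admins schedule scripts too); a script host
    # combined with an inline or downloaded payload is the combination to review.
    suspicious = host is not None and len(indicators) >= 2
    return {"entry": entry_name, "indicators": indicators, "suspicious": suspicious}


def flagged_entries(entries: Sequence[Tuple[str, str]]) -> List[str]:
    """Names of the entries that warrant a closer look."""
    results = [score_autostart(name, cmd) for name, cmd in entries]
    return [r["entry"] for r in results if r["suspicious"]]


# Obviously constructed stand-in for an encoded payload: it decodes to a plain sentence.
PLACEHOLDER_B64 = base64.b64encode("constructed placeholder, not a payload".encode("utf-16-le")).decode()

# Constructed autostart entries as (value name, command line) pairs.
SAMPLE_AUTOSTART = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("NightlyBackup", r'powershell.exe -File "C:\Scripts\backup.ps1"'),
    ("Updater", "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + PLACEHOLDER_B64),
]

if __name__ == "__main__":
    for name, cmd in SAMPLE_AUTOSTART:
        print(score_autostart(name, cmd))
```

The NightlyBackup entry shows the caveat: a script host by itself is not a finding, and a flagged entry should be confirmed by decoding what it runs before it is deleted.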

Fileless malware is like an undying ghost in the system.  It is elusive, persistent, and difficult to remove. It’s designed to evade antivirus detection and reappear even after deletion. Luckily, due to how the malware is designed, if it is detected it can be removed.

  1. Disconnect from the Internet
    Fileless malware often relies on the internet to re-download itself into the system’s memory. Disconnecting from the network prevents this from happening.
  2. Use Specialized Software
    Tools like Volatility Framework and CrowdStrike can detect and remove fileless malware effectively.
  3. Update and Patch
    Make sure all software and systems are up to date and reset settings to default where possible. This helps eliminate any traces of the malware.
  4. Reboot the computer
    After rebooting, fileless malware may attempt to reinstall itself. High-end antivirus programs should detect and stop this behavior, removing the malware and any mechanism it used to relaunch itself.

Only reconnect your computer to the internet after you’re confident the fileless malware has been fully removed. If you suspect any lingering infections, disconnect again and consult a professional. Fileless malware is one of the most persistent forms of malware and removing it can require considerable effort and expertise.

 

Malware comes in many forms, and protecting your computer becomes increasingly difficult as hackers and their tools evolve. From viruses and worms to ransomware and spyware, understanding the various types of malware and their behaviors is crucial for effective defense. By staying informed about the latest threats and employing comprehensive cybersecurity measures, we can safeguard our digital environments against these malicious actors.

At Black Dog Forensics, we specialize in providing top-tier digital forensic services, helping you identify, analyze, and mitigate the impact of malware on your systems. Our expert team is dedicated to ensuring your data remains secure and your operations uninterrupted. In the face of increasingly sophisticated cyber threats, we are your trusted partner in navigating the complexities of cybersecurity.

To learn more about our services and how we can assist you in defending against malware, please click here.  If you have any questions or require assistance, please call our lab at (346) 200-6097, (800) 517-2535, or email retrievethetruth@bdforensics.com.  Protecting your digital assets is our top priority, and together, we can build a resilient defense against even the most advanced malware threats.